osquery-defense-kit/incident_response
Thomas Stromberg 570c36dc71
fpr: tilt, electron, cilium, write/read improvements
2023-03-24 10:42:06 -04:00
README.md Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
account_policy_data-macos.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
alf.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
alf_exceptions_macos.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
alf_explicit_auths_macos.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
alf_services.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
app_schemes.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
apps.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
authorization_mechanisms-macos.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
authorizations-macos.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
authorized_keys.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
block_devices.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
certificates.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
chrome_extension_content_scripts.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
chrome_extensions.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
crashes-macos.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
crontab.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
deb_packages.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
disk_encryption.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
disk_events_macos.sql incident_response: bugfixes across queries 2023-02-23 21:24:52 -05:00
dns_resolvers.sql Missing a ; 2022-10-20 14:16:17 -04:00
docker_container_mounts.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
docker_container_ports.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
docker_container_processes.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
docker_containers.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
docker_image_history.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
docker_images.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
es_process_events.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
etc_hosts.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
event_taps_macos.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
file_events.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
files-dev.sql incident_response: bugfixes across queries 2023-02-23 21:24:52 -05:00
files-etc.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
firefox_addons.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
gatekeeper_approved_apps_macos.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
groups.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
hardware_events.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
homebrew-packages-macos.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
interface_addresses.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
interface_details.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
interface_ipv6.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
iokit-registry-macos.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
ip_forwarding.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
iptables.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
kernel_info.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
kernel_modules_linux.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
kernel_panics-macos.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
kextstat_macos.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
known_hosts.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
last.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
launchd_macos.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
launchd_overrides_macos.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
listening_ports.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
logged_in_users.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
loginwindow1.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
loginwindow2.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
loginwindow3.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
loginwindow4.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
memory_map.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
mounts.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
npm_packages.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
nvram-macos.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
open_files.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
open_sockets.sql Add missing files 2022-10-19 16:56:43 -04:00
os_version.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
package_install_history_macos.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
package_receipts_macos.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
platform_info.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
preferences_macos.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
process-files.sql Rename files-from-proc to process-files. 2023-02-23 17:11:35 -05:00
process_env.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
process_events.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
process_memory_map.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
process_open_files.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
process_open_pipes.sql fpr: abrt-dbus, gdm, chrome, ff, etc 2023-02-24 16:30:17 -05:00
process_open_sockets.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
processes.sql fpr: tilt, electron, cilium, write/read improvements 2023-03-24 10:42:06 -04:00
recent_items_macos.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
rpm_packages.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
running_apps_macos.sql Add privacy-aware version of the IR rules 2023-02-24 17:47:07 -05:00
safari_extensions_macos.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
sandboxes_macos.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
seccomp_events.sql incident_response: bugfixes across queries 2023-02-23 21:24:52 -05:00
selinux_events.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
shadow.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
shared_memory.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
shell_history.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
sip_config.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
socket_events.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
ssh_configs.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
startup_items.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
suid_bin.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
syslog_events.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
system_controls.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
systemd_units.sql reformat SQL queries 2022-10-20 09:11:29 -04:00
unified_log_macos.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
usb_devices.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
user_events.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
user_ssh_keys.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
users.sql reformat SQL queries 2022-10-20 09:11:29 -04:00
xprotect_reports.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00

README.md

The incident_response queries originate from the upstream osquery project:

https://github.com/osquery/osquery/blob/master/packs/incident-response.conf

Additional tables have been added and the intervals have been modified.